ASIS INTERNATIONAL
Chief Security Officer – An Organizational Model
ANSI/ASIS CSO.1-2013
STANDARDAMERICAN NATIONAL
ANSI/ASIS CSO.1-2013
an American National Standard
CHIEF SECURITY OFFICER —
AN ORGANIZATIONAL MODEL
Approved November 8, 2013
American National Standards Institute, Inc.
ASIS International
Abstract
This standard is a model for organizations to use when developing a leadership function to provide a comprehensive, integrated
and consistent security/risk strategy to contribute to the viability and success of the organization. It is structured at a high level,
although specific considerations and responses are also addressed for deliberation by individual organizations based on
identifiable risk assessment and requirements, intelligence, and assumptions.
ANSI/ASIS CSO.1-2013
NOTICE AND DISCLAIMER
The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is
unanimous agreement among the participants in the development of this document.
ASIS International standards and guideline publications, of which the document contained herein is one, are developed through
a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of
persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and
establishes rules to promote fairness in the development of consensus, it does not write the document and it does not
independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments
contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or
anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce
compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory
and because it does not monitor the use of them.
ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect,
consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this
document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any
information published herein, and disclaims and makes no warranty that the information in this document will fulfill any
person’s or entity’s particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual
manufacturer or seller’s products or services by virtue of this standard or guide.
In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on
behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else.
Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a
competent professional in determining the exercise of reasonable care in any given circumstances. Information and other
standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for
additional views or information not covered by this publication.
ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no
control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct
that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials,
designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third
parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any
information in this document should not be attributable to ASIS and is solely the responsibility of the certifier or maker of the
statement.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright
owner.
Copyright © 2013 ASIS International
ISBN: 978-1-934904-51-0
ii
ANSI/ASIS CSO.1-2013
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed
in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected
to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are
designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a
recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having
distinct compatibility or performance advantages.
ASIS International (ASIS) is the preeminent organization for security professionals, with more than 38,000 members worldwide.
ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs
and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the security management profession to business, the media, government
entities, and the public. By providing members and the security community with access to a full range of programs and services
and by publishing the industry’s No. 1 magazine – Security Management - ASIS leads the way for advanced and improved
security performance.
The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines
Committees and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development
Organization (SDO), ASIS actively participates in the International Organization for Standardization. The Mission of the ASIS
Standards and Guidelines Commission is to advance the practice of security management through the development of standards and
guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience,
and expertise of ASIS membership, security professionals, and the global security industry.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street,
Alexandria, VA 22314-2818, USA.
Charles A. Baley, Farmers Insurance Group, Inc.
Jason L. Brown, Thales Australia
Michael Bouchard, Sterling Global Operations, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William J. Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance
Eugene F. Ferraro, CPP, PCI, CFE, Convercent
F. Mark Geraci, CPP, Purdue Pharma L.P.
Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert W. Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael E. Knoke, CPP, Express Scripts, Inc.
Bryan Leadbetter, CPP, Alcoa Inc.
Marc H. Siegel, Ph.D., ASIS International, European Bureau
Jose Miguel Sobron, United Nations
Roger D. Warwick, Pyramid International
Allison Wylde, University of Roehamptom
iii
ANSI/ASIS CSO.1-2013
At the time it approved this document, the CSO Standards Committee, which is responsible for the development of this Standard,
had the following members:
Committee Chairman: Jerry J. Brennan, Security Management Resources™
Commission Liaison: Charles A. Baley, Farmers Insurance Group, Inc.
Committee Secretariat: Susan M. Carioti, ASIS International
Christopher Aldous, CPP, PSP, Design Security Ltd
Timothy Alexander, CPP, PMP, TYCO Integrated Security
James Almeida, Solstice Marketing Concepts
Raymond Andersson, ICPS, Independent
Grant Ashley, CPP, CPA, Merck
Scott Ast, CPP, Metro Wastewater Reclamation District
Jay Beighley, CPP, CFE, Nationwide Insurance
Jody Bissonnette, CHS III, Bisonnette & Associates
John Boal, CPP, PSI, CFE, University of Akron
Michael Bodin, National Nuclear Security Administration
Julie Boost, CPP, Independent
Michael Bouchard, CPP, Sterling Global Operations, Inc.
Jason Brown, CSyP, Thales
David Bunch, CPP, Independent
Evelyn Byrd, CPP, Independent
Steve Cader, California Peace Officer, ABM Security
George Campbell, Independent
Thomas Campbell, Independent
Jeimy Cano, CFE, CMAS, COBIT Foundation, Ecopetrol
Dr.Joseph Chandler, Jr., Argus Eagle, LLC
Richard Chase, CPP, PSP, PCI, General Atomics
Chris Clarke, PMP, C Squared
Kevin Cliff, CPP, LPL Financial
Daniel Colin, CPP, Hospira
Edward Coufal, PhD, SFPC, Independent
Mark Cousins, CPP, Independent
Gary Crowe, CRCMP, Money Management International, Inc.
William Davis, CPP, Ally Financial
Eric Davoine, Independent
David Dodge, Temi Group
Martin Drew, CPP, iView Systems
Patrick Fanning, CPP, PSP, Independent
Patrick Fay, Independent
Barbara Felker, Excivity, Inc.
Ali Ferrer, PSP, Independent
iv
ANSI/ASIS CSO.1-2013
Benjamin Ferris, CPP, CISSP, CCEP, Independent
Windom Fitzgerald, CPP, CHS-III, CFE, Fitzgerald Technology Group
David Flower, PCI, Grant Thornton LLP
Thomas Forman, CPP, Federal Investigative Services, U.S. Office of Personnel Management
Walter Fountain, CPP, Schneider National, Inc.
Peter French, MBE, CPP, SSR Personnel
Nanpon Gambo, CSS, MTN Nigeria Limited
Erik Gaull, CPP, CEM, PMP, Independent
Doug Glenn, CET, PMP, SimplexGrinnell LP
Terry Godfrey, PSP, CB&I
Frank Grace, MBA, International Business, ImageGard LLC
Hector Grynberg, CPP, NOKIA
Francis Hall, CPP, PCI, Independent
David Hart, CPP, Independent
Bob Hayes, CPP, Security Executive Council
Benjamin Hayes, Independent
Arnette Heintze, Hillard Heintze
Henri Hemery, PhD, Risk & Co.
Derek Henderson, PSP, Haast Consulting Pty Ltd
Russell Hunt, Air Force Security Forces
Adam Incher, CPP, Shared Services ACT Government
Scott Jack, CPP, Baylor Health Care System
Timothy Janes, CPP, CFE, Capital One
Donald Jordan, CMAS, CHS IV, CPO, ATO Level II, Independent
Michael Kanaby, CPP, PSP, American University of the Caribbean
Richard Kelly, CPP, Ingersoll Rand
David Kennedy, CPP, CFE, City of Calgary
Owen Key, City of Calgary
L. King II, CPP, AB Volvo
Ryan Knisley, Walmart Stores, Inc.
Mark LaLonde, CKR Global
Kathy Lavinder, Security & Investigative Placement Consultants LLC
Jon LeChevet, Independent
Grant Lecky, CBCP, PCIP, Canadian Security Partners' Forum
Mathieu Leduc, PSP, Courts Administration Service
Alessandro Lega, CPP, Independent
Jeff LeMoine, CPP, General Mills
Eric Levine, WellPoint, Inc.
Stephen Lolli, CPP, Arkema Inc.
Brad MacLeod, CPP, Independent
Robert Martin, CPP, Shire
Lynn Mattice, CRISC, National Economic Security Grid
Joe Mazza, CHPP, Independent
John McCaffery, Global Vision Consultancy
v
ANSI/ASIS CSO.1-2013
Richard McCoy, CPP, CISSP, Thomson Reuters
Thomas McElroy, CPP, PCI, HSCG, LLC
McEvoy Paul, CPP, PCI, Ericsson
Marisel Melendez, Independent
Yuri Mena, All Safety Mena LLC
Paul Michaels, CPP, PSP, PCI, CISSP, The National Academies
Stephen Miller, Eclipse Identity Recognition Corporation
Jason Miller, PMP, Advantage Security Inc.
Richard Moulton, CPP, AlliedBarton Security Services
Waqar Muhammad, Independent
Donald Munday, Ed.D., University of Phoenix
Curtis Noffsinger, PSP, CPP, Securitas Security Services USA
Michael Orticelle, MPA, Caport Emergency Response and Mitigation Consultants, LLC
Michael Osborne, CPP, Kinross Gold Corporation
Ken Osinski, WellPoint, Inc.
John Petruzzi, Jr. CPP, CISM, Time Warner
John Pettit, CPP, PSP, Independent
Mark Porterfield, CPP, Whelan Security
Charles Price,Jr, CPO, Waste Control Specialists LLC
Mario Quijano, CPP, Electrolux
Petteri Rantanen, MSc in Security and Risk Mgmt, Nokia Siemens Networks
Gregory Reese, CPP, USAF
Malcolm Reid, CPP, CFE, CBCP, CORP, Brison Ltd
Ty Richmond, CPP, CFE, CRISC, Sony Pictures Entertainment
Jim Robertson, Delaware North Companies
Phillip Robinson, CGI
Frank Russell, CPP, PSP, CPI, Independent
Max Saguier, ARSEC Alliance Regionale Securite
Zulfiqar Saleemi, Secure Options Group
Jimmy Salinas, AT&T
Joseph Samuels, Independent
Jeffrey Sarnacki, Publius LLC
John Saunders, CPP, CISSP, MA, Enterprise Protection Associates
Laurie Schive, Independent
Harris Schwartz, Internet Crimes Group
Michael Scott, CPP, Apollo International
Debbie Seeger, Modine Manufacturing Company
Robbie Sinclair, CPP, MBA, Independent
Thomas Smith, UNC Health Care
Harrell Smith, Valor Security
Jerry Stanphill, CPP, Federal Aviation Administration
J. Stewart, Newcastle Consulting LLC
Mark Sullivan, CMF, Interac Association
Stephen Surfaro, Axis Communications
vi
ANSI/ASIS CSO.1-2013
Don Taussig, CPP, Land O'Lakes, Inc.
Jason Teliszczak, CPP, JT Environmental Consulting
Dennis Treece, CHS-V, Massachusetts Port Authority
Dave Tyson, CPP, CISSP, SC Johnson & Son Inc.
Shawn VanDiver, CPP, CEM, CTT+, VanDiver Consulting
Stephen Vogle, CPP, Independent
Erika Voss, Amazon Fulfillment Services
Christopher Waters, AlliedBarton Security Services
Michael White, CPP, CRM, Independent
Allan Wick, CFE, CPP, PSP, PCI, CBCP, Tri-State Generation & Transmission Association, Inc.
Reginald Williams, CISSP, CISM, CIPP/US, CPP, CAS, Independent
Robert Williams, Hackett Security
James Willison, MA, Unified Security Ltd
Rudy Wolter, CPP, CFE, CFSSP, Citigroup
Loftin Woodiel, CPP, Missouri Baptist University
A. Wunderlich, CPP, CFE, A. Dale Wunderlich & Associates, Inc.
Anthony Ybarra, U S Security Associates, Inc.
Mark Yeakley, CPP, CFE, Independent
Working Group Chairman: Jerry J. Brennan, Security Management Resources™
Christopher Aldous, CPP, PSP, Design Security Ltd
Jody Bissonnette, CHS III, Bisonnette & Associates
John Boal, CPP, PSI, CFE, University of Akron
Michael Bouchard, CPP, Sterling Global Operations, Inc.
David Bunch, CPP, Independent
Eric Davoine, Independent
Martin Drew, CPP, iView Systems
Barbara Felker, Excivity, Inc.
Benjamin Ferris, CPP, CISSP, CCEP, Independent
David Flower, PCI, Grant Thornton LLP
Peter French, MBE, CPP, SSR Personnel
Bob Hayes, CPP, Security Executive Council
Derek Henderson, PSP, Haast Consulting Pty Ltd
Adam Incher, CPP, Shared Services ACT Government
Michael Kanaby, CPP, PSP, American University of the Caribbean
Richard Kelly, CPP, Ingersoll Rand
L. King II, CPP, AB Volvo
Kathy Lavinder, Security & Investigative Placement Consultants LLC
Jon LeChevet, Independent
Alessandro Lega, CPP, Independent
vii
ANSI/ASIS CSO.1-2013
Thomas McElroy, CPP, PCI, HSCG, LLC
Paul Michaels, CPP, PSP, PCI, CISSP, The National Academies
Stephen Miller, Eclipse Identity Recognition Corporation
Curtis Noffsinger, PSP, CPP, Securitas Security Services USA
Ken Osinski, WellPoint, Inc.
Gregory Reese, CPP, USAF
John Saunders, CPP, CISSP, MA, Enterprise Protection Associates
Robbie Sinclair, CPP, MBA, Independent
Don Taussig, CPP, Land O'Lakes, Inc.
Jason Teliszczak, CPP, JT Environmental Consulting
Stephen Vogle, CPP, Independent
Michael White, CPP, CRM, Independent
Reginald Williams, CISSP, CISM, CIPP/US, CPP, CAS, Independent
Rudy Wolter, CPP, CFE, CFSSP, Citigroup
viii
ANSI/ASIS CSO.1-2013
TABLE OF CONTENTS
1 SCOPE, SUMMARY, AND PURPOSE..................................................................................................................................1
1.1 SCOPE.................................................................................................................................................................................1
1.2 SUMMARY ...........................................................................................................................................................................1
1.3 PURPOSE .............................................................................................................................................................................1
2 NORMATIVE REFERENCES ...............................................................................................................................................1
3 OVERVIEW ......................................................................................................................................................................2
4 REPORTING RELATIONSHIP .............................................................................................................................................2
5 MODEL FUNCTION ..........................................................................................................................................................2
6 KEY RESPONSIBILITIES AND ACCOUNTABILITIES..............................................................................................................5
6.1 KEY SUCCESS FACTORS ...........................................................................................................................................................6
6.2 STRATEGY DEVELOPMENT .......................................................................................................................................................6
6.3 INFORMATION GATHERING AND RISK ASSESSMENT......................................................................................................................6
6.4 ORGANIZATIONAL PREPAREDNESS..............................................................................................................................................7
6.5 SECURING HUMAN CAPITAL, CORE ASSETS, INFORMATION, & REPUTATION .....................................................................................7
6.6 INCIDENT PREVENTION...........................................................................................................................................................7
6.7 INCIDENT RESPONSE, MANAGEMENT, AND RECOVERY..................................................................................................................8
6.8 INVESTOR RELATIONS, PUBLIC AFFAIRS, AND GOVERNMENT RELATIONS ..........................................................................................8
7 KEY COMPETENCIES ........................................................................................................................................................8
8 EXPERIENCE ....................................................................................................................................................................9
9 EDUCATION.....................................................................................................................................................................9
10 COMPENSATION .........................................................................................................................................................10
A MODEL POSITION DESCRIPTION ...................................................................................................................................11
A.1 POSITION PURPOSE .............................................................................................................................................................11
A.2 KEY RESPONSIBILITIES ..........................................................................................................................................................11
A.3 KEY SKILLS AND COMPETENCIES .............................................................................................................................................12
A.4 QUALIFICATION GUIDELINES..................................................................................................................................................12
B TERMS AND DEFINITIONS .............................................................................................................................................13
C REFERENCES..................................................................................................................................................................14
D USEFUL WEBSITES.........................................................................................................................................................15
TABLE OF TABLES
TABLE 1 - PROFILE OF THE FUNCTION’S EXECUTION.................................................................................................................................4
TABLE 2 – SUMMARY OF REQUIRED SKILLS ............................................................................................................................................5
ix
ANSI/ASIS CSO.1-2013
This page intentionally left blank.
x
AMERICAN NATIONAL STANDARD ANSI/ASIS CSO.1-2013
1. SCOPE, SUMMARY, AND PURPOSE
This model is applicable to the private, public, and not-for-profit sector organizations. The model
provides a structure to evaluate and define the role and necessary aptitude for the security/risk
management function in an organization. It provides a methodology to evaluate and respond to
a dynamic spectrum of threats to tangible and intangible assets on both a domestic and global
basis.
This model is presented at a high-level and designed as an organizational guide for the
development and implementation of a strategic security framework. The structure is
characterized by appropriate awareness, prevention, preparedness, and necessary responses to
changes in threat conditions. Specific considerations and responses are also addressed for
deliberation by individual organizations based on identifiable risk assessment, requirements,
intelligence, and assumptions.
This standard is a model for organizations to use when developing a leadership function to
provide a comprehensive, integrated, and consistent security/risk strategy to contribute to the
viability and success of the organization. This model refers to this leadership function as the
senior security executive. Some organizations designate this role/function as the Chief Security
Officer (CSO). The CSO designation is a concept descriptor and not necessarily a
recommendation for the position title. This role/function may be a standalone position or as one
that has been incorporated within an existing senior-level executive's accountability to the
organization's leadership team.
2. NORMATIVE REFERENCES
The following documents contain information which, through reference in this text, constitutes
foundational knowledge for the use of this American National Standard. At the time of
publication the editions indicated were valid. All material is subject to revision and parties are
encouraged to investigate the possibility of applying the most recent editions of the material
indicated below.
ASIS International ANSI. (2008). Chief Security Officer organizational standard. [Online].
Available:
< > [2008, October].
1
ANSI/ASIS CSO.1-2013
3. OVERVIEW
Businesses, public and private organizations and associations continue to experience dynamic
and complex risk environments. The effective management of these environments is a
fundamental requirement today and will continue into the future. Boards of Directors,
shareholders, stakeholders, and the public all expect organizations and government agencies to
anticipate, manage areas of risk, and set in place a comprehensive and cohesive strategy across
all functional lines. In addition, it is expected an organization’s leadership will respond quickly
and effectively to events and incidents that threaten organizational assets and operations. Thus,
a proactive strategy for security/risk mitigation supports sustainable, healthy, productive
organizations and is a critical responsibility of senior leadership and governing boards.
The goal of this model is to define the skills and competencies that are essential to the active
protection of an organization and to produce effective responses to a dynamic and emerging
threat environment. Effective leadership across all levels of an organization, especially within its
security functions, is imperative. Organizational and brand reputation, the uninterrupted
reliability of the technical infrastructure and normal business processes, the protection of physical
and financial assets, the loss or compromise of intellectual properties and trade secrets, the safety
of employees and customers, and the preservation of shareholder confidence all rely, to a large
degree, upon the effectiveness of a responsible and accountable senior executive.
The complexity of risk environments creates a diverse matrix of interrelated threats,
vulnerabilities, and impacts; therefore, the safeguards against these risks are interdependent at
all levels. A successful model for organizations is to have a designated single point of
accountability at the senior governance level with responsibility for crafting, influencing, and
directing an organization-wide security/risk strategy. In these organizations, accountability is
clearly defined and supports role imperatives. The ability to influence strategy and address
matters of internal and external risk exposures requires such a leadership role.
4. REPORTING RELATIONSHIP
It is strongly recommended that the position report to a key senior-level executive of the
organization so as to ensure a strong liaison with designated leadership bodies such as the Board
of Directors and its operating committees or in the appointed and/or elected governing public
agency councils, oversight committees, boards or designee(s). This alignment within the
organizational hierarchy should signal executive commitment, support, and the importance of
such a role.
5. MODEL FUNCTION
Table 1 illustrates the scope of an organization’s security/risk program, including functional areas
of responsibility, key processes, and discussion of work elements that should be found within an
organization. It is not intended to be a complete road map for every program and initiative within
a given process since these should be customized and would naturally vary based on numerous
geographical, political, cultural, industry sector, legal, and other specific requirements.
2
ANSI/ASIS CSO.1-2013
Leadership should clearly establish strategic accountability and exert effective influence on the
security and risk mitigation activities of the organization in order to achieve organizational goals
and objectives. Governance may take the form of a single Enterprise Risk Management Council;
separate risk committees to address key risk areas or processes; actual managerial and budgetary
accountability and/or various combinations to better align with and adjust to evolving
organizational structures. Each organization’s unique culture, business model, public purpose,
and/or needs should guide specific decisions establishing the best structure. This model is
intended to assist any organization considering its best approaches and provide guidance on
placement of the role, the skills, and competencies required within the organization.
While many different approaches may be taken to align the role within an organization’s culture,
to aid in understanding and facilitating the design and implementation, this model presents a
representative framework (see Table 1) and position description (see Annex A).
3
ANSI/ASIS CSO.1-2013
Table 1 - Profile of the Function’s Execution
Major Areas of Risk to the Viability & Survivability of an Organization
COMPLIANCE OPERATIONS FINANCIAL STRATEGIC
REPUTATION
Key Risk Process Elements
Governance Risk Intelligence
Human Capital Brand Protection
Information Supply Chain & Logistics
Financial Assets Channel & Market
Physical Assets Resiliency & Continuity of Operations
Ethics & Values Competencies & Characteristics of Executive Leader Integrity & Trust
Business Acumen
Comfort Around Higher Management Strategic Agility Written Communications
Customer Focus Decision Quality Dealing With Ambiguity
Organizational Agility Building Effective Teams Managing Vision & Purpose
Presentation Skills Managerial Courage Motivating Others
Problem Solving Composure Interpersonal Savvy
Listening Political Savvy Developing Direct Reports &
Others
*Copyright 2012,Premier Profiling & Mattice Associates, Used by Permission
4
ANSI/ASIS CSO.1-2013
Table 2 – Summary of Required Skills
Relationship Leader Summary of Skills Required
Executive Management Develops, influences and nurtures trust-based relationships with business unit leaders, government
and Leadership officials, and professional organizations. Acts as a consultant to all organizational clients.
Subject Matter Expertise
Builds, motivates, and leads a professional team attuned to organizational culture, responsive to
Governance Team Member business needs, and committed to integrity and excellence.
Risk Executive Provides or sees to the provision of technical expertise appropriate to knowledge of risk, security, and
Strategist the cost-effective delivery of mitigation solutions.
Creative Problem Solver Provides leadership and active support to the organization’s governance team to ensure risks are made
known to senior management and oversight groups.
Identifies, analyzes, and communicates on business and security-related risks to the organization.
Develops a comprehensive risk profile of the organization in collaboration with key stakeholders,
along with strategies to assist the organization in managing and mitigating current and emerging risks.
Aids competitiveness and adds value by contributing dynamic, real-time critical thinking and
solutions that enable the organization to “prevent” disruptions from occurring and minimize damage
when they do occur. Engages in business processes to mitigate risk and is a positive change agent on
behalf of organizational protection.
6. KEY RESPONSIBILITIES AND ACCOUNTABILITIES
The senior security executive should be a full partner in the governance infrastructure of the
organization. If a comprehensive assessment of any areas of risk (see Table 1) supports the need
for a function-specific security role, the assignment of high-level accountability better ensures an
integrated, comprehensive security/risk strategy, with less duplication of effort and stronger
fiscal management.
A core responsibility for effective program and policy development is the management of
positive working relationships among stakeholder and client groups. Front-line accountability
for protecting the organization should reside with the leader of each operating unit, with the
appropriate organization’s security function providing the risk assessment, policy, and
supporting infrastructure to those leaders.
The senior security executive should be recognized as the organization’s authority on
security/risk related matters. Expertise across all domains is not expected, however it is
paramount that the individual leverage competencies, experiences, and advanced working
knowledge of contemporary security/risk management, practices, protocols and applications.
An effective model is a hybrid one that takes into consideration the senior security executive’s
combined leadership talent, business acumen (i.e., background in business or a governance
function), and subject matter expertise. Leadership of a multi-faceted security program requires
generalist knowledge, including a relevant background at a senior level within a business,
governance function, or some element of the security mission. These attributes and skills or a
combination thereof should be given strong consideration in the selection of the senior security
executive. Ultimately, the individual’s resourcefulness, credentials, and credibility within the
organization, and the vision to craft an integrated, multi-faceted risk mitigation strategy, depends
5
ANSI/ASIS CSO.1-2013
on the individual’s ability to understand, value, and articulate the varied risks and threats facing
an organization in the context of organizational impact.
The ability to build sustainable competitive advantages through pragmatic, innovative,
and business-focused security solutions.
The ability to maintain integrity and principles under internal and/or external pressure.
High-level analytical skills, management experience, and exceptional relationship
management competencies.
Qualitative experience in strategic planning and/or policy development at a senior
leadership level.
The ability to anticipate, investigate, influence, and assist the organization in its ability to
assess and rapidly adapt to changing conditions and trends of importance (multi-
functional, both internal and external) in light of the overall direction of the organization.
Effectiveness in developing, communicating, and executing recommended courses of
action for innovative, business-oriented responses.
A commitment to excellence and a demonstrable orientation toward successful staff
development.
Ability to establish and implement performance measurement criteria and assess results.
In tandem with organizational leadership, the senior security executive will conceptualize,
illustrate, develop, implement, and continuously renew an overall strategy that demonstrates the
various processes needed to understand the nature and probability of all risk events within the
organization. The strategy should outline, in detail, the plans to prevent and prepare for an
adverse event -- including awareness, training, exercises, and methodologies to infuse
contemporary security/risk programs and processes throughout the organization. The strategy
should also include methods for continuity and recovery of business operations after any
security-related or other catastrophic event. The senior security executive should be capable of
clearly communicating this strategy, its costs, benefits and related impact to the highest levels of
the organization.
The senior security executive is responsible and accountable for systematically gathering,
assessing, and synthesizing information related to a wide range of security-related events and
threats specific to the organization and its various operations, which may adversely affect the
security and safety of personnel and the profitability or reputation of the organization.
6
ANSI/ASIS CSO.1-2013
In addition, the individual should also determine the probability and impact of security-related
incidents, threats, and develop appropriate strategies consistent with sound business judgment
employing controls to prevent negative impacts on the organization. The information necessary
to develop these assessments and preventive strategies should come from multiple sources. The
senior security executive should be capable of making the links between disparate pieces of
information in order to understand and assess the data’s importance to the security of the
enterprise. The individual in this role should understand and be familiar with both human capital
skills and technological aids that can assist in this process, and possess both conceptual and
critical thinking skills to prioritize risks and develop appropriate preventive strategies across the
organization. This implies the ability to successfully operate independently in fast-paced, matrix-
management environments, requiring a high tolerance for ambiguity, and positive political skills
to drive programs or projects to completion.
The senior security executive is also responsible and accountable for ensuring the enterprise is
prepared for events or circumstances with the potential to disrupt the continuity of business
operations. For example, these events include deliberate attacks (physical, cyber and information)
targeted at the organization; catastrophic events (hurricanes, tornados, earthquakes, etc.), or
related significant security incidents that might include white collar crime -- such as fraud, theft,
product tampering, sabotage, etc.).
Preparation for these events should involve the development, implementation, and
administration of policies, plans, programs, procedures, and exercises to establish baseline
organizational responses. The process of performance management, to include regular periodic
review, testing, and evaluation of organizational readiness in the event of disruptive attacks or
events, is a key responsibility.
The protection of the organization’s integrity, human capital, processes, information, reputation
and other critical assets from harm and loss is a key responsibility. While guarding the financial
and physical assets of the enterprise (i.e., cash, facilities, and equipment), it is important that the
senior security executive should also be able to counter the potential risks involved in the loss of
intangible assets (i.e., reputation and customer and client confidence), intellectual property,
confidential information, and trade secrets. Human capital here includes leadership and external
directors, employees, customers, and others the organization has a duty to protect.
The senior security executive should be expected to identify and understand the nature of
security/risks in the business environment, as well as the application of appropriate controls and
countermeasures to mitigate those risks. This requires an understanding of how and when to
enlist the support of external resources and other staff functions such as: information technology,
risk management, internal audit, controllers, legal, and human resources to mitigate the various
risks to the business.
7
ANSI/ASIS CSO.1-2013
Another key responsibility of the role is the analysis of information and the coordination of
activities with persons inside and outside the organization to identify, prevent, and / or mitigate
attacks and catastrophic events.
The senior security executive plays a leading role in the strategic oversight of preparations,
detection and analysis of incidents, as well as containment, mitigation, eradication, recovery
plans, and post incident activities. In order to ensure that incident management policies, plans,
processes, and reports are in place throughout the organization, the senior security executive
facilitates the creation, maintenance, and periodic evaluation of an incident, attack or
catastrophic event.
The senior security executive may have a role in both internal and external communications. This
may involve coordination, liaison, and participation with those responsible for investor relations
including public affairs, finance, human resources, operations, and government relations. The
senior security executive may serve as an external representative of the organization by
participating in media interviews and testifying before government agencies.
7. KEY COMPETENCIES
The senior security executive should be more strategic than tactical. A high degree of integrity,
ethics, responsibility, and dedication, as well as the ability to calmly facilitate the appropriate
resolution of ethical, risk and crisis situations is required. The ability to programmatically and
holistically analyze, understand, and explain the value of security/risk initiatives to senior
leadership colleagues and board members is a key requirement of the position. While related
technical skills are important, the emphasis for the role will be on the strategic, organizational
positioning, business, and interpersonal abilities.
8
ANSI/ASIS CSO.1-2013
The following list provides key attributes associated with effective senior security executives1.
Inspiring Others PERSONAL & INTERPERSONAL
Acting with Honor & Character Building Effective Teams
Managing Vision
Motivating Others
Ethics & Values
Integrity & Trust
Being Open & Receptive Composure
Being Organizationally Savvy ORGANIZATIONAL POSITIONING
Communicating Effectively Organizational Agility
Written Communication
Making Complex Decisions STRATEGIC Problem Solving
Creating New & Different Solutions Strategic Agility
Source: "Identifying High-Performance Security Professionals Using a Competency Model." For information on
obtaining complete list, see Annex C or footnote below.
8. EXPERIENCE
The senior security executive will serve as a trusted advisor to leadership, and should have the
breadth and diversity of experiences consistent with the demands of the position and the
organization’s security/risk exposures. The role requires the individual to have the demonstrated
ability, knowledge, and experience to articulate, evaluate, and implement security/risk strategies
in the context of the organization’s core purpose and culture. The individual should have a track
record of success in a leadership role with the proven ability to collaborate, lead teams and
develop partnerships.
Depending on the organization’s profile and vision, this individual may serve as an architect for
the security program or change agent who ensures adherence to best practices. The
demonstration of successful international experience and multi-lingual capabilities may also be
required.
9. EDUCATION
This is an executive leadership role. As with other senior roles, there are significant expectations
for the levels of education and experience of the applicant. Advanced education and degrees
should be highly valued, and reflect the knowledge that would likely enhance the individual’s
value across many environments. The benefits of educational credentials would ideally align with
the organization’s culture and mission.
1 Excerpted from "Identifying High-Performance Security Professionals Using a Competency Model," Laura E. Larson,
2012, available from the author at [email protected].
9
ANSI/ASIS CSO.1-2013
Given the dynamic nature of security governance, an emphasis on life-long learning and
continuous professional development is desirable. Initiatives may include academic programs
resulting in advanced degrees or certificates, as well as specialized training, peer learning and the
attainment of relevant certifications.
10. COMPENSATION
The compensation options for this executive level role vary. Benchmarking, consulting with
executive search specialists, and reviewing high-quality analyses or studies, may be of value. As
a point of reference, salary studies of similar roles are conducted annually in cooperation with
the compensation departments of numerous organizations. Compensation packages should be
comparable to other organizational executive leadership roles at the same level with similar
accountabilities.
10
ANSI/ASIS CSO.1-2013
Annex A
(informative)
A. MODEL POSITION DESCRIPTION
The senior security executive is accountable for the identification, development, implementation, and
management of the organization’s [global] security/risk strategies and related programs.
In cooperation with the organization’s executive leadership team(s), directs the development of
an effective strategy to assess and mitigate risk (foreign and domestic), manage crises and
incidents, maintain continuity of operations, and safeguard the organization.
Directs staff in identifying, developing, implementing, and maintaining security processes,
practices, and policies throughout the organization to reduce risks, respond to incidents, and limit
exposure and liability in all areas of information, financial, physical, personal, and reputational
risk.
Ensures the organization’s compliance with the local, national, and international regulatory
environments where applicable to the accountability of this role (i.e. privacy, data protection, and
environmental, health and safety).
Researches and deploys state-of-the-art technology solutions and innovative security
management techniques to safeguard the organization’s personnel and assets, including
intellectual property and trade secrets. Establishes appropriate standards and associated risk
controls.
Develops relationships with high-level officials in law enforcement [and international
counterparts] to include in-country security [and international security agencies], intelligence,
and other relevant governmental functions as well as private sector counterparts [worldwide].
Through subordinate managers and/or other external resources, coordinates and implements site
security, operations, and activities to ensure protection of executives, managers, employees,
customers, stakeholders, visitors, etc., as well as all physical and information assets, while
ensuring optimal use of personnel and equipment.
2 Bracketed items are dictated by each organization’s scope.
11
ANSI/ASIS CSO.1-2013
Senior leadership skills to provide direction to the management and professional staff within the
organization.
Ability to understand, interpret, analyze, and develop consensus within an organizational
climate of diverse operational activities and often-conflicting regulations, imposed by agencies
with regulatory jurisdiction.
Ability to effectively communicate with all levels of the organization (including briefing executive
management, governance board committees and oversight groups) on the status of security and
issues surrounding enterprise risk management decisions.
High-level analytical skills, leadership experience, and exceptional relationship management
competencies to understand impact and sensitivity of security issues.
Demonstrated commitment to lead personnel in education and training advancement.
At least 3-5 years of direct experience in a significant senior level executive leadership role.
Demonstrated ability to develop and manage the functional duties of an executive position and
manage an expense budget.
Advanced degree (or equivalent) in an area of study relevant to this role, and at least 10-15 years
of relevant experience.
Demonstrated experience and exposure in the [international]3 security arena dealing with
security/risk related issues, based on the scope and reach of the organization.
3 Bracketed items are dictated by each organization’s scope.
12
ANSI/ASIS CSO.1-2013
Annex B
(normative)
B. TERMS AND DEFINITIONS
Change Agent: An individual who is willing to challenge established business processes and procedures
in the pursuit of excellence.
Chief Security Officer (CSO): A senior executive level function responsible for providing
comprehensive, integrated risk strategies (policy, procedures, management, training, etc.) to help protect
an organization from a wide spectrum of threats.
Financial and Physical Assets: Includes such things as facilities, equipment, technology, software,
inventory, land, transportation vehicles, investments, financial accounts & instruments and on-hand
cash.
Human Capital: Includes organization staff (leadership, directors, managers, employees), customers,
and any others the organization has a duty to protect.
Intangible Assets: Includes such things as reputation, customer confidence, client confidence, trade
secrets, intellectual property, and goodwill.
Security Function: Describes the collective program functions within any public, private, or not-for-
profit organization that is accountable for supporting the designated leaderships' fiduciary obligation to
protect the human, physical and intellectual, tangible and intangible assets as well as other obligatory
interests of the organization.
Senior Security Executive: see Chief Security Officer.
Subject Matter Expertise: Competencies, experiences, and advanced working knowledge of
contemporary tradecraft, practices, and applications related to the topic of interest.
13
ANSI/ASIS CSO.1-2013
Annex C
(informative)
C. REFERENCES
Booz Allen Hamilton. (2005). Convergence of enterprise security organizations, [Online]. Available:
< http://www.boozallen.com/media/file/convergence_enterprise_security_orgs.pdf > [2005, November
8].
Booz Allen Hamilton. (2006). Convergence of enterprise security organizations: International views: an
addendum to the 2005 study. [2007, November 1].
Business Roundtable. (2005). Committed to protecting America: CEO guide to security challenges [revised
2007]. [Online]. Available:
< http://www.cj.msu.edu/~outreach/wmd/ceo_guide.pdf >, [2008, April 16].
The Conference Board. (2012). Leveraging Corporate Security for Business Growth and Improved
Performance: The Transformative Effect of 9/11. [Online]. Available: <www.conferenceboard.org>
Deloitte & Touche LLP Canada. (2007). The convergence of physical and information security in the context of
enterprise risk management. Rolling Meadows, IL: The Alliance for Enterprise Security Risk Management.
[2007, November 1].
Identifying High-Performance Security Professionals Using a Competency Model. (2012) Laura E.
Larson, Premier Profiling, Brooklyn, NY, available at [email protected].
Enterprise Risk Management – Integrated Framework (2004), Committee of Sponsoring Organizations
of the Treadway Commission [Online]. Available:
<http://www.coso.org/ERM-IntegratedFramework.htm> [2004 September].
14
ANSI/ASIS CSO.1-2013
Annex D
(informative)
D. USEFUL WEBSITES
ASIS International. < >
Business Roundtable. < >
Committee of Sponsoring Organizations of the Treadway Commission < http://coso.org/>
Council on Competitiveness. < >
15
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
stdcso13
- 1 - 32
Pages: